People readable

Nefarious tricksters have started to use self-adhesive QR codes to scam unsuspecting smartphone users, according to a news report carrying comments from a not-necessarily independent Symantec spokesperson.

In theory, though, this is social engineering genius. Whack a QR code onto a bit of sticky paper, in turn whack that onto a popular advert (The Hobbit, say…) and then watch the hits flood in. Actually, I’m intrigued to know how many hits you’d actually get, because as I’ve argued before, I do believe QR Codes to be pretty much useless…

But why would this be so effective? Well, because QR codes are completely unreadable by people. And that should make them totally untrustworthy, but somehow the gadgetyness of them draws certain people in…

I recalled another example of this a few weeks ago when talking with a chap from Visa Europe. In the days before Chip & PIN, the Royal Bank of Scotland used to offer a bank card that had the owner’s mug shot and signature digitally printed on the back, rather than the plain signing strip that was more common.

In 1999 I had the unpleasant experience of being mugged just on the outskirts of what’s now known as TechCity. The mugger, having scared the living daylights out of me, slowly looked through the contents of my wallet. He plucked out the cash, and then started on the credit cards. The first one he took out was my RBS photocard, and, taking one look at the photo on the back, he popped it back into my wallet, gave it back to me, and ran off. There were differences in our ethnicity that would have made it pretty challenging for him to pass himself off as me without permanently hiring a makeup artist.

These days, all that stands between me and payments is a four-digit PIN. There is nothing on the card that can allow another person to identify me – the PIN just authorises transactions, and can be given to (or observed by) anyone. It works great for the bank, because through Chip & PIN they can refuse to reimburse for any payment made through the model on the basis of the customer being negligent with their passcode. Similarly, merchants are easily able to refute challenged transactions if the PIN was correctly entered.

The photocards continued for a while after Chips were installed onto cards, but RBS eventually dropped the service. I’ve never felt quite as secure ever since…